The need for markets-focused competition watchdogs and consumer-centric privacy regulators to think outside their respective ‘legal silos’ and find creative ways to work together to tackle the challenge of considerable tech market power was the impetus for a couple of fascinating panel discussions organized by the Centre for Economic Policy Research (CEPR), which were live-streamed yesterday but are available to view on-demand here.
The conversations brought together key regulatory leaders from Europe and the US — giving a glimpse of the future shape of digital markets oversight might look like when fresh blood has just been injected to chair the FTC. Hence, regulatory change is very much in the air (at least around tech antitrust).
CEPR’s discussion premise is that integration, not merely intersection, of competition and privacy/data protection law, is needed to get a proper handle on platform giants that have, in many cases, leveraged their market power to force consumers to accept an abusive ‘fee’ of ongoing surveillance.
That fee strips consumers of their privacy and helps tech giants perpetuate market dominance by locking out the interesting new competition (which can’t get the same access to people’s data, so it operates at a baked-in disadvantage).
A running theme in Europe for several years now, since a 2018 flagship update to the bloc’s data protection framework (GDPR), has been the ongoing under-enforcement around the EU’s ‘on-paper privacy rights — which, in certain markets, means regional competition authorities are now actively grappling with exactly how and where the issue of ‘data abuse’ fits into their antitrust legal frameworks.
The regulators assembled for CEPR’s discussion included, from the UK, the Competition and Markets Authority’s CEO Andrea Coscelli and the information commissioner, Elizabeth Denham; from Germany, the FCO’s Andreas Mundt; from France, Henri Piffaut, VP of the French competition authority; and from the EU, the European Data Protection Supervisor himself, Wojciech Wiewiórowski, who advises the EU’s executive body on data protection legislation (and is the watchdog for EU institutions’ own data use).
The UK’s CMA now sits outside the EU, of course — giving the national authority a higher-profile role in global mergers & acquisition decisions (vs. pre-Brexit), and the chance to help shape critical standards in the digital sphere via the investigations and procedures it chooses to pursue (and it has been moving very quickly on that front).
The CMA has several primary antitrust probes open into tech giants — including looking into complaints against Apple’s App Store and others targeting Google’s plan to deprecate support for third party tracking cookies (aka the so-called ‘Privacy Sandbox’) — the latter being an investigation where the CMA has actively engaged the UK’s privacy watchdog (the ICO) to work with it.
Only last week, the competition watchdog said it was minded to accept a set of legally binding commitments that Google has offered, which could see a quasi ‘co-design process taking place, between the CMA, the ICO, and Google, over the shape of the critical technology infrastructure that ultimately replaces tracking cookies. So a pretty significant development.
Germany’s FCO has also been very active against big tech this year — making full use of an update to the national competition law, which gives it the power to take proactive inventions around large digital platforms with major competitive significance — with open procedures now against Amazon, Facebook, and Google.
The Bundeskartellamt was already a pioneer in pushing to loop EU data protection rules into competition enforcement in digital markets in a strategic case against Facebook, as we’ve reported before. That closely watched (and long-running) case — which targets Facebook’s ‘superprofiling’ of users, based on its ability to combine user data from multiple sources to flesh out a single high dimension per-user profile — is now headed to Europe’s top court (so likely has more years to run).
But during yesterday’s discussion, Mundt confirmed that the FCO’s experience litigating that case helped shape critical amendments to the national law that’s given him beefier powers to tackle big tech. (And he suggested it’ll be a lot easier to regulate tech giants going forward, using these new national powers.)
“Once we have designated a company to be of ‘paramount significance,’ we can prohibit certain conduct much more easily than we could in the past,” he said. “We can prohibit, for example, that a company impedes another undertaking by data processing that is relevant for competition. We can deny that service use depends on the agreement to data collection with no choice — this is the Facebook case, indeed… When this law was negotiated in parliament very much referred to the Facebook case, and in a certain sense, this entwinement of competition law and data protection law is written in a theory of harm in the German competition law.
“This makes a lot of sense. If we talk about dominance and if we assess that this dominance has come into place because of data collection and data possession and data processing, you need a parameter in how far a company is allowed to gather the data to process it.”
“The past is also the future because this Facebook case… has always been a big case. And now it is up to the European Court of Justice to say something on that,” he added. “If everything works well, we might get an unequivocal ruling saying… as far as the ECN [European Competition Network] is concerned, how far we can integrate GDPR in assessing competition matters.
“So Facebook has always been a big case — it might get even bigger in a certain sense.” Meanwhile, France’s competition authority and its national privacy regulator (the CNIL) have also been joint working in recent years.
Including over a competition complaint against Apple’s pro-user privacy App Tracking Transparency feature (which last month the antitrust watchdog declined to block) — so there’s evidence there too of respective oversight bodies seeking to bridge legal silos to crack the code of how to effectively regulate tech giants whose market power, panelists agreed, is predicated on earlier failures of competition law enforcement that allowed tech platforms to buy up rivals and sew up access to user data, entrenching advantage at the expense of user privacy and locking out the possibility of future competitive challenge.
The contention is that monopoly power predicated upon data access also locks consumers into an abusive relationship with platform giants, which can then, in the case of ad giants like Google and Facebook, extract huge costs (paid not in monetary fees but in user privacy) for continued access to services that have also become digital staples — amping up the ‘winner takes all’ characteristic seen in digital markets (which is obviously bad for competition too).
Yet, traditionally at least, Europe’s competition authorities and data protection regulators have been focused on separate workstreams. The consensus from the CEPR panels was that that is both changing and must change if civil society is to get a grip on digital markets — and wrest control back from tech giants to ensure consumers and competitors aren’t left trampled into the dust by data-mining giants.
Denham said her motivation to dial-up collaboration with other digital regulators was the UK government entertaining the idea of creating a one-stop-shop ‘Internet’ super-regulator. “What scared the hell out of me was the policymakers, the legislators floating the idea of one regulator for the Internet. I mean, what does that mean?” she said. “So I think what the regulators did is we got to work, we got busy, we become creative, got out of our silos to try to tackle these companies — the likes of which we have never seen before.
“And I really think what we have done in the UK — and I’m excited if others believe it will work in their jurisdictions — but I think that what really pushed us is that we needed to show policymakers and the public that we had our act together. I believe consumers and citizens don’t really care if the solution they’re looking for comes from the CMA, the ICO, Ofcom… they just want somebody to have their back when it comes to protecting the privacy and security of markets.
“We’re trying to use our regulatory levers in the most creative way possible to make the digital markets work and protect fundamental rights.”
During the earlier panel, the CMA’s Simeon Thornton, a director at the authority, made some exciting remarks vis-a-vis its (ongoing) Google ‘Privacy Sandbox’ investigation — and the joint working it’s doing with the ICO on that case — asserting that “data protection and respecting users’ rights to privacy are very much at the heart of the commitments upon which we are currently consulting”.
“If we accept the commitments, Google will be required to develop the proposals according to several criteria including impacts on privacy outcomes and compliance with data protection principles, and impacts on user experience and user control over the use of their personal data — alongside the overriding objective of the commitments which is to address our competition concerns,” he went on, adding: “We have worked closely with the ICO in seeking to understand the proposals and if we do accept the commitments then we will continue to work closely with the ICO in influencing the future development of those proposals.”
“If we accept the commitments, that’s not the end of the CMA’s work — on the contrary that’s when, in many respects, the real work begins. Under the commitments the CMA will be closely involved in the development, implementation and monitoring of the proposals, including through the design of trials for example. It’s a substantial investment from the CMA, and we will be dedicating the right people — including data scientists, for example, to the job,” he added. “The commitments ensure that Google addresses any concerns that the CMA has. And suppose due problems cannot be resolved with Google. In that case, they explicitly provide for the CMA to reopen the claim and — if necessary — impose any interim measures needed to avoid harm to competition.
“So there’s no doubt this is a big undertaking. And it’s going to be challenging for the CMA, I’m sure of that. But personally, I think this is the sort of approach that is required if we are really to tackle the sort of concerns we’re seeing in digital markets today.”
Thornton also said: “I think as regulators, we do need to step up. We need to get involved before the harm materializes — rather than waiting after the event to stop it from materializing, rather than waiting until that harm is irrevocable… I think it’s a big move and it’s a challenging one but personally I think it’s a sign of the future direction of travel in a number of these sorts of cases.”
Also speaking during the regulatory panel session was FTC commissioner Rebecca Slaughter — a dissenter on the $5BN fine it hit Facebook with back in 2019 for violating an earlier consent order (as she argued the settlement provided no deterrent to address underlying privacy abuse, leaving Facebook free to continue exploiting users’ data) — as well as Chris D’Angelo, the chief deputy AG of the New York Attorney General, which is leading a significant states antitrust case against Facebook.
Slaughter pointed out that the FTC already combines a consumer focus with attention on competition but said that historically there has been a separation of divisions and investigations — and she agreed on the need for more joined-up working.
She also advocated for US regulators to get out of a pattern of ineffective enforcement in digital markets on issues like privacy and competition where companies have, historically, been given — at best — what amounts to wrist slaps that don’t address root causes of market abuse, perpetuating both consumer abuse and market failure. And be prepared to litigate more.
As regulators toughen up their stipulations, they will need to be prepared for tech giants to push back — and therefore be prepared to sue instead of accepting a weak settlement.
“That is what is most galling to me that even where we take action, in our best faith good public servants working hard to take action, we keep coming back to the same questions, again and again,” she said. “Which means that the actions we are taking aren’t working. We need different activities to keep us from having the same conversation again and again.”
Slaughter also argued that it’s essential that regulators not pile all the burden of avoiding data abuses on consumers themselves.
“I want to sound a note of caution around approaches that are centered around user control,” she said. “I think transparency and control are essential. I think it is really problematic to put the burden on consumers to work through the markets and use data, figure out who has their data, how it’s being used, and make decisions… I think you end up with notice fatigue; I think you end up with decision fatigue; you get very abusive manipulation of dark patterns to push people into decisions.
“So I really worry about a framework that is built at all around the idea of control as the central tenant or the way we solve the problem. I’ll keep coming back to the notion of what we need to focus on: where is the burden on the firms to limit their collection in the first instance, prohibit their sharing, and restrict abusive use of data. I think that that’s where we need to be focused from a policy perspective.
“I think there will be ongoing debates about privacy legislation in the US, and while I’m actually a powerful advocate for a better federal framework with more tools that facilitate aggressive enforcement, but I think if we had done it ten years ago, we probably would have ended up with a notice and consent privacy law and I think that that would have not been a great outcome for consumers at the end of the day. So I think the debate and discussion have evolved importantly. I also think we don’t have to wait for Congress to act.”
As regards more radical solutions to the problem of market-denting tech giants — such as breaking up sprawling and (self-serving) interlocking services empires — the message from Europe’s most ‘digitally switched on’ regulators seemed to be don’t look to us for that; we are going to have to stay in our lanes.
So tl;dr — if antitrust and privacy regulators’ joint working just sums to more intelligent fiddling around the edges of digital market failure, and it’s break-ups of US tech giants that’s what’s really needed to reboot digital markets, then it’s going to be up to US agencies to wield the hammers. (Or, as Coscelli elegantly phrased it: “It’s probably more realistic for the US agencies to be in the lead in terms of structural separation if and when it’s appropriate — rather than an agency like ours [working from inside a mid-sized economy such as the UK’s].”)
The lack of any representative from the European Commission on the panel was an interesting omission in that regard — perhaps hinting at ongoing ‘structural separation’ between DG Comp and DG Justice where digital policymaking streams are concerned.
The current competition chief, Margrethe Vestager — who also heads up digital strategy for the bloc as an EVP — has repeatedly expressed reluctance to impose radical ‘break up’ remedies on tech giants. She also recently referred to waive through another Google digital merger (its acquisition of fitness wearable Fitbit) — agreeing to accept several ‘concessions’ and ignoring significant mobilization by civil society (and indeed EU data protection agencies) urging her to block it.
Yet in an earlier CEPR discussion session, another panelist — Yale University’s Dina Srinivasan — pointed to the challenges of trying to regulate the behavior of companies when there are apparent conflicts of interest, unless and until you impose structural separation as she said has been necessary for other markets (like financial services).
“In advertising we have an electronically traded market with exchanges and we have brokers on both sides. When the competition was working in a competitive market, you saw that those brokers were acting in the best interest of buyers and sellers. And as part of carrying out that function, they were sort of protecting the data that belonged to buyers and sellers in that market, and not playing with the data in other ways — not trading on it, not doing conduct similar to insider trading, or even front running,” she said, giving an example of how that changed as Google gained market power.
“So Google acquired DoubleClick, made promises to continue operating in that manner, the promises were not binding and on the record — the enforcement agencies or the agencies that cleared the merger didn’t make Google promise that they would abide by that moving forward and so as Google gained market power in that market there’s no regulatory requirement to continue to act in the best interests of your clients, so now it becomes a market power issue, and after they gain enough market power they can flip data ownership and say ‘okay, you know what before you owned this data and we weren’t allowed to do anything with it, but now we’re going to use that data to for example sell our own advertising on exchanges’.
“But what we know from other markets — and from financial markets — is when you flip data ownership, and you engage in conduct like that that allows the firm to now build market power in yet another market.”
The CMA’s Coscelli picked up on Srinivasan’s point — saying it was a “powerful” one and that the challenges of policing “very complicated” situations involving conflicts of interests are something that regulators with merger control powers should be bearing in mind as they consider whether or not to green-light tech acquisitions.
(Just one example of a merger in the digital space that the CMA is still scrutinizing is Facebook’s acquisition of animated GIF platform Giphy. And it’s interesting to speculate whether had Brexit happened a little faster, the CMA might have stepped in to block Google’s Fitbit merger where the EU wouldn’t.)
Coscelli also flagged the issue of regulatory under-enforcement in digital markets as a key one, saying: “One of the reasons we are today where we are is partially historic under-enforcement by competition authorities on merger control — and that’s a theme that is extremely interesting and relevant to us because after the exit from the EU we now have a bigger role in merger control on global mergers. So it’s essential to us that we make the right decisions going forward.”
“Quite often we intervene in areas where there is under-enforcement by regulators in specific areas… If you think about it, when you design systems with vertical regulators in particular sectors and horizontal regulators like us or the ICO, we are more successful if the vertical regulators do their job. I’m sure they are more successful if we do our job correctly.
“I think we systematically underestimate… the ability of companies to work through whatever behavior or commitments or arrangement are offered to us, so I think these are critical points,” he added, signaling that a higher degree of attention is likely to be applied to tech mergers in Europe as a result of the CMA stepping out from the EU’s competition regulation umbrella.
Also speaking during the same panel, the EDPS warned that across Europe more broadly — i.e., beyond the small but engaged gathering of regulators brought together by CEPR — data protection and competition regulators are far from where they need to be on joint working, implying that the challenge of effectively regulating big tech across the EU is still a pretty Sisyphean one.
Indeed, the Commission is not sitting on its hands in the face of tech giant market power. At the end of last year it proposed a regime of ex ante regulations for so-called ‘gatekeeper’ platforms, under the Digital Markets Act. But the problem of effectively enforcing pan-EU laws — when the various agencies involved in oversight are typically decentralized across the Member States — is one critical complication for the bloc. (The Commission’s answer with the DMA was to suggest putting itself in charge of overseeing gatekeepers, but it remains to be seen what enforcement structure EU institutions will agree on.)
Clearly, the need for careful and coordinated joint working across multiple agencies with different legal competencies — if, indeed, that’s really what’s needed to adequately address captured digital markets vs. structural separation of Google’s search and adtech, for example, and Facebook’s various social products — steps up the EU’s regulatory challenge in digital markets.
“We can say that no effective competition nor protection of the rights in the digital economy can be ensured when the different regulators do not talk to each other and understand each other,” Wiewiórowski warned. “While we are still thinking about the cooperation, it looks a little bit like everybody is afraid they will have to trade a little bit of its own possibility to assess.”
“If you think about the classical regulators, isn’t it true that at some point we are reaching this border where we know how to work, we know how to behave, we need a little bit of help and a little bit of understanding of the other regulator’s work… Interestingly, there is — at the same time — the discussion about the splitting of the task of the American regulators joining the ones on the European side. But even the statements of some of the commissioners in the European Union saying about the bigger role the Commission will play in the data protection and solving the enforcement problems of the GDPR show there is no clear understanding what are the differences between these fields.”
One thing is clear: Big tech’s dominance of digital markets won’t be unpicked overnight. But, on both sides of the Atlantic, there are now a bunch of theories on how to do it — and a growing appetite for wading in.